Maintenance Notification:
On next Monday August 5th 2019 starting at 7am CEST we will conduct some maintenance. You might encounter some issues using the Exasol User Portal and Issue Tracker! We will restore the Exasol User Portal and Issue Tracker before 9am CEST on Monday August 5th 2019.

You are currently viewing an old documentation portal. This content will be removed on June 18th, 2019. Please view our current documentation portal at http://docs.exasol.com/.

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Excerpt
hiddentrue

Using Kerberos for Single Sign-On to Exasol.

Exasol supports single-sign functionality using Kerberos. By supporting Kerberos based single sign-on (in JDBC and ODBC), users can authenticate to Exasol using their Kerberos credentials. This allows for a seamless user experience.

Kerberos is centered around its Key Distribution Center(KDC). To use Kerberos based single sign-on in Exasol, a keytab file must be provided by your Key Distribution center or by your Active Directory administrator for Windows system. This keytab file consists of the service principles for Exasol databases. This keytab file is uploaded through EXAoperation.

Note

This feature is only available from 6.0.8 release.

Enabling Kerberos in Exasol

You can follow the belows below steps to enable Kerberos in Exasol. 

Panel
bgColor#f8f9f7
titleBGColor#e9f4e3
titleEnable Kerberos in Exasol
  1. Open EXAoperation and in EXASolution click on the appropriate database name to open the EXASolution Instance for it.
  2. Shut down the database if it is running by selecting Shutdown from the Actions dropdown list and clicking Submit. Wait until the database is offline.
  3. Upload the keytab file to be used in the cluster by clicking the Browse button located at the bottom and then clicking Upload Keytab File.



  4. As an optional step after you have uploaded the keytab file, you can set additional parameter values. Click Edit to edit the database and set the values for the following parameters.
    • Kerberos Service Name
    • Kerberos Host Name
    • Kerberos Realm



    Info

    Setting these values are optional. For a brief description of these parameters, refer to the table below.


  5. Click Apply and then start the database.

The following table provides you with a brief description of the parameters:

ParametersDescription
Kerberos Service Name

If a Kerberos Service name is specified, then only the specified Kerberos service can be requested by the client. If there is no service name specified, then all the service requested by the client is accepted provided the service exists in the keytab file uploaded. 

The default service name is exasol.

Kerberos Host Name

If a hostname is specified, then only that hostname is accepted by the client, regardless of whether the uploaded keytab file contains entries for other hostnames. The host name of the Kerberos principal is valid cluster-wide, which means it can be considered virtual. If no hostname is specified, then the hostname will not be checked during Kerberos authentication.

Kerberos Realm

If a Kerberos realm is specified, then only users of this realm will be accepted, regardless of whether the uploaded keytab contains entries for other realms.

If no Kerberos realm is specified, then by default users from all the realms are accepted, provided there is an entry of the realm in the keytab file.



Related Tasks

For more information on managing Exasol users with Kerberos authentication and how to configure clients to use Kerberos, refer to 

Jira
serverIssue Tracker
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverIdccda1d1d-5892-3e94-8a35-365616366603
keySOL-595